12,787 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Detections
Disabling Windows Defender WMI Autologger Session via Reg.exe
Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger session for Windows Defender API and Audit events.
By setting the 'Start' value to '0' for the 'DefenderApiLogger' or 'DefenderAuditLogger' session, an attacker can prevent these critical security events
from being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique.
EQL
any where ((Image:"*\\reg.exe" or OriginalFileName:"reg.exe") and (CommandLine like~ ("*\\Control\\WMI\\Autologger\\DefenderApiLogger\\Start*", "*\\Control\\WMI\\Autologger\\DefenderAuditLogger\\Start*")) and (CommandLine:"*add*" and CommandLine:"*0*")) and (not CommandLine:"*0x00000001*")
ES|QL
from * metadata _id, _index, _version | where (ends_with(Image, "\\reg.exe") or OriginalFileName=="reg.exe") and (CommandLine like "*\\Control\\WMI\\Autologger\\DefenderApiLogger\\Start*" or CommandLine like "*\\Control\\WMI\\Autologger\\DefenderAuditLogger\\Start*") and CommandLine like "*add*" and CommandLine like "*0*" and not CommandLine like "*0x00000001*"
Lucene
((Image:*\\reg.exe OR OriginalFileName:reg.exe) AND (CommandLine:(*\\Control\\WMI\\Autologger\\DefenderApiLogger\\Start* OR *\\Control\\WMI\\Autologger\\DefenderAuditLogger\\Start*)) AND (CommandLine:*add* AND CommandLine:*0*)) AND (NOT CommandLine:*0x00000001*)
Discovery Using AzureHound
Detects AzureHound (the BloodHound data collector for Microsoft Azure) by the default User-Agent it sends during collection after a successful authentication (ResultType 0 in the sign-in logs).
EQL
any where userAgent:"*azurehound*" and ResultType:0
ES|QL
from * metadata _id, _index, _version | where userAgent like "*azurehound*" and ResultType==0
Lucene
userAgent:*azurehound* AND ResultType:0
Dllhost.EXE Execution Anomaly
Detects a dllhost.exe process started with no command-line arguments. The legitimate COM Surrogate is almost always launched with a /Processid argument, so a bare invocation is rare and can indicate process injection or malware mimicking a system process.
EQL
any where (Image:"*\\dllhost.exe" and (CommandLine like~ ("dllhost.exe", "dllhost"))) and ?CommandLine != null
ES|QL
from * metadata _id, _index, _version | where ends_with(Image, "\\dllhost.exe") and (CommandLine in ("dllhost.exe", "dllhost")) and not CommandLine is null
Lucene
(Image:*\\dllhost.exe AND (CommandLine:(dllhost.exe OR dllhost))) AND _exists_:CommandLine
Domain Added to Google Workspace Trusted Domains
Detects when a domain is added to the list of trusted Google Workspace domains. An adversary may add a trusted domain in
order to collect and exfiltrate data from their target’s organization with less restrictive security controls.
DotNet CLR DLL Loaded By Scripting Applications
Detects .NET CLR DLLs (clr.dll, mscoree.dll, mscorlib.dll) being loaded by scripting and proxy-execution hosts such as wscript, cscript, mshta, regsvr32, wmic, cmstp or msxsl. These hosts do not normally need the .NET runtime, so the load can indicate in-memory .NET execution.
EQL
any where (Image like~ ("*\\cmstp.exe", "*\\cscript.exe", "*\\mshta.exe", "*\\msxsl.exe", "*\\regsvr32.exe", "*\\wmic.exe", "*\\wscript.exe")) and (ImageLoaded like~ ("*\\clr.dll", "*\\mscoree.dll", "*\\mscorlib.dll"))
ES|QL
from * metadata _id, _index, _version | where (ends_with(Image, "\\cmstp.exe") or ends_with(Image, "\\cscript.exe") or ends_with(Image, "\\mshta.exe") or ends_with(Image, "\\msxsl.exe") or ends_with(Image, "\\regsvr32.exe") or ends_with(Image, "\\wmic.exe") or ends_with(Image, "\\wscript.exe")) and (ends_with(ImageLoaded, "\\clr.dll") or ends_with(ImageLoaded, "\\mscoree.dll") or ends_with(ImageLoaded, "\\mscorlib.dll"))
Lucene
(Image:(*\\cmstp.exe OR *\\cscript.exe OR *\\mshta.exe OR *\\msxsl.exe OR *\\regsvr32.exe OR *\\wmic.exe OR *\\wscript.exe)) AND (ImageLoaded:(*\\clr.dll OR *\\mscoree.dll OR *\\mscorlib.dll))
Elastic
Converted
high
Driver Added To Disallowed Images In HVCI - Registry
Detects changes to the "HVCIDisallowedImages" registry value under Control\CI, which can be used to add a driver to the list of images that HVCI refuses to load.
EQL
any where TargetObject:"*\\Control\\CI\\*" and TargetObject:"*\\HVCIDisallowedImages*"
ES|QL
from * metadata _id, _index, _version | where TargetObject like "*\\Control\\CI\\*" and TargetObject like "*\\HVCIDisallowedImages*"
Lucene
TargetObject:*\\Control\\CI\\* AND TargetObject:*\\HVCIDisallowedImages*
Driver Load From A Temporary Directory
Detects a driver being loaded from a path under a \Temp\ directory, a location legitimate drivers rarely load from.
EQL
any where ImageLoaded:"*\\Temp\\*"
ES|QL
from * metadata _id, _index, _version | where ImageLoaded like "*\\Temp\\*"
Lucene
ImageLoaded:*\\Temp\\*
Dumping Account Hashes via Built-In Commands
Identifies the execution of macOS built-in commands used to dump user account hashes. Adversaries may attempt to dump
credentials to obtain account login information in the form of a hash. These hashes can be cracked or leveraged for
lateral movement.
Dumping of Keychain Content via Security Command
Adversaries may dump the content of the keychain storage data from a system to acquire credentials. Keychains are the
built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi
and website passwords, secure notes, certificates, and Kerberos.
Dumping of Sensitive Hives Via Reg.EXE
Detects the usage of "reg.exe" (matched by image path or by OriginalFileName, so a renamed copy is still caught) with "save" or "export" to dump the sensitive SAM, SYSTEM and SECURITY registry hives. The rule also lists modifier-letter look-alikes (ˢ, ˣ, ˪) for letters in the verb, hive and key names, which are used to obfuscate the command line.
EQL
any where (Image:"*\\reg.exe" or OriginalFileName:"reg.exe") and (CommandLine like~ ("* save *", "* export *", "* ˢave *", "* eˣport *")) and (CommandLine like~ ("*hklm*", "*hk˪m*", "*hkey_local_machine*", "*hkey_˪ocal_machine*", "*hkey_loca˪_machine*", "*hkey_˪oca˪_machine*")) and (CommandLine like~ ("*\\system*", "*\\sam*", "*\\security*", "*\\ˢystem*", "*\\syˢtem*", "*\\ˢyˢtem*", "*\\ˢam*", "*\\ˢecurity*"))
ES|QL
from * metadata _id, _index, _version | where (ends_with(Image, "\\reg.exe") or OriginalFileName=="reg.exe") and (CommandLine like "* save *" or CommandLine like "* export *" or CommandLine like "* ˢave *" or CommandLine like "* eˣport *") and (CommandLine like "*hklm*" or CommandLine like "*hk˪m*" or CommandLine like "*hkey_local_machine*" or CommandLine like "*hkey_˪ocal_machine*" or CommandLine like "*hkey_loca˪_machine*" or CommandLine like "*hkey_˪oca˪_machine*") and (CommandLine like "*\\system*" or CommandLine like "*\\sam*" or CommandLine like "*\\security*" or CommandLine like "*\\ˢystem*" or CommandLine like "*\\syˢtem*" or CommandLine like "*\\ˢyˢtem*" or CommandLine like "*\\ˢam*" or CommandLine like "*\\ˢecurity*")
Lucene
(Image:*\\reg.exe OR OriginalFileName:reg.exe) AND (CommandLine:(*\ save\ * OR *\ export\ * OR *\ ˢave\ * OR *\ eˣport\ *)) AND (CommandLine:(*hklm* OR *hk˪m* OR *hkey_local_machine* OR *hkey_˪ocal_machine* OR *hkey_loca˪_machine* OR *hkey_˪oca˪_machine*)) AND (CommandLine:(*\\system* OR *\\sam* OR *\\security* OR *\\ˢystem* OR *\\syˢtem* OR *\\ˢyˢtem* OR *\\ˢam* OR *\\ˢecurity*))
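The two reg.exe rules above (Disabling Windows Defender WMI Autologger Session via Reg.exe, and Dumping of Sensitive Hives Via Reg.EXE) rewritten as plain Python and run over a handful of constructed Sysmon process-creation records. This is an added example, not code from the catalogue or from the Sigma rules themselves. One practitioner check is folded in: the catalogue query looks for the literal path ...\DefenderApiLogger\Start, whereas reg.exe names the value separately (reg add <key> /v Start /d 0), so the example accepts both spellings and ties the zero to the /d data rather than to any '0' anywhere on the command line. The sample events, including the renamed-binary case, are constructed.

```python
"""Added example (not the catalogue's or the Sigma project's code): the two reg.exe
rules applied to constructed Sysmon Event ID 1 (process creation) records."""
import re

# The hive-dump rule enumerates modifier-letter look-alikes (ˢ, ˣ, ˪) that reg.exe
# accepts in place of s, x and l.  Folding them first keeps the matching logic plain.
HOMOGLYPHS = str.maketrans({"ˢ": "s", "ˣ": "x", "˪": "l"})

AUTOLOGGER_KEYS = (
    "\\control\\wmi\\autologger\\defenderapilogger",
    "\\control\\wmi\\autologger\\defenderauditlogger",
)


def fold(command_line: str) -> str:
    """Lower-case the command line and map the obfuscation homoglyphs to ASCII."""
    return command_line.translate(HOMOGLYPHS).lower()


def is_reg_exe(event: dict) -> bool:
    """Match on the image path or the PE OriginalFileName so a renamed copy is still caught."""
    image = event.get("Image", "").lower()
    return image.endswith("\\reg.exe") or event.get("OriginalFileName", "").lower() == "reg.exe"


def defender_autologger_disabled(event: dict) -> bool:
    """Rule 'Disabling Windows Defender WMI Autologger Session via Reg.exe'.

    The catalogue query expects the literal path ...\\DefenderApiLogger\\Start; reg.exe
    names the value separately ("/v Start"), so both spellings are accepted here and,
    as a tightening, the /d data must be zero rather than any '0' on the line.
    """
    if not is_reg_exe(event):
        return False
    cmd = fold(event.get("CommandLine", ""))
    if " add " not in f" {cmd} " or not any(key in cmd for key in AUTOLOGGER_KEYS):
        return False
    names_start = re.search(r'(\\start\b|/v\s+"?start\b)', cmd)
    data_is_zero = re.search(r'/d\s+"?(?:0x)?0+"?(?:\s|$)', cmd)
    return bool(names_start and data_is_zero)


def sensitive_hive_dump(event: dict) -> bool:
    """Rule 'Dumping of Sensitive Hives Via Reg.EXE' after homoglyph folding."""
    if not is_reg_exe(event):
        return False
    cmd = f" {fold(event.get('CommandLine', ''))} "
    return (
        any(verb in cmd for verb in (" save ", " export "))
        and any(hive in cmd for hive in ("hklm", "hkey_local_machine"))
        and any(target in cmd for target in ("\\system", "\\sam", "\\security"))
    )


RULES = {
    "defender_autologger_disabled": defender_autologger_disabled,
    "sensitive_hive_dump": sensitive_hive_dump,
}

# Constructed records, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": "reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\DefenderApiLogger /v Start /t REG_DWORD /d 0 /f"},
    {"Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",   # re-enabling: must not fire
     "CommandLine": "reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\DefenderApiLogger /v Start /t REG_DWORD /d 1 /f"},
    {"Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",   # homoglyph-obfuscated SAM dump
     "CommandLine": "reg ˢave hk˪m\\ˢam C:\\Users\\Public\\sam.hiv"},
    {"Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",   # read-only query: benign
     "CommandLine": "reg query HKLM\\SAM"},
    {"Image": "C:\\Tools\\r.exe", "OriginalFileName": "reg.exe",                # renamed reg.exe
     "CommandLine": "r.exe export HKEY_LOCAL_MACHINE\\SECURITY C:\\Users\\Public\\sec.reg"},
]


def run(events: list) -> list:
    """Return (event index, rule name) for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for index, rule_name in run(SAMPLE_EVENTS):
        print(f"[{rule_name}] {SAMPLE_EVENTS[index]['CommandLine']}")
```

Run it as a script to see the three hits; the benign re-enable and the read-only query stay silent, and the renamed binary is caught through OriginalFileName.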
Dylib Injection via Process Environment Variables
Detects the use of process environment variables (DYLD_INSERT_LIBRARIES or LD_PRELOAD) to inject a shared
library into a binary at or prior to execution. A threat actor may use this technique to load a malicious
shared library for persistence, privilege escalation, and defense evasion. This activity is uncommon and
typically indicates malicious behavior.
Dynamic Linker Copy
Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup
copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to
inject and preload a malicious shared object file. This activity should never occur and if it does then it should be
considered highly suspicious or malicious.
Dynamic Linker Modification Detected via Defend for Containers
This rule detects the creation or modification of the dynamic linker preload shared object (ld.so.preload) inside a
container. The Linux dynamic linker is used to load libraries needed by a program at runtime. Adversaries may hijack the
dynamic linker by modifying the /etc/ld.so.preload file to point to malicious libraries. This behavior can be used to
grant unauthorized access to system resources and has been used to evade detection of malicious processes in container
environments.
EKS Authentication Configuration Modified
Detects modifications to the aws-auth ConfigMap in Amazon EKS clusters. The aws-auth ConfigMap maps AWS IAM roles and
users to Kubernetes RBAC groups; an attacker who modifies it can grant any IAM role cluster-admin access by adding a
mapping to the system:masters group. This is a well-documented persistence technique that survives pod restarts, node
replacements and RBAC changes, because the authentication mapping lives outside the normal Kubernetes Role objects.
Modifications to aws-auth are rare in normal operations: the ConfigMap is typically written during cluster provisioning and
updated only when node groups or access configuration change.
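As an added example (not Elastic's rule logic), the aws-auth detection applied to constructed Kubernetes audit events of the shape EKS forwards to CloudWatch Logs. It alerts on any mutating verb against the kube-system/aws-auth ConfigMap using only Metadata-level audit fields, raises the severity when a recorded request body maps something into system:masters, and suppresses routine edits by a hypothetical provisioning identity (eks-provisioner) so the "rare in normal operations" observation becomes an allowlist rather than a reason to mute the rule. All audit records, usernames and account IDs are constructed.

```python
"""Added example (not Elastic's rule code): detection of aws-auth ConfigMap changes over
constructed Kubernetes audit events as EKS ships them to CloudWatch Logs."""
import json

WATCHED_VERBS = {"create", "update", "patch", "delete"}

# Identities expected to manage aws-auth (the provisioning pipeline).  Hypothetical value;
# fill this from your own IaC service accounts / mapped usernames.
EXPECTED_EDITORS = {"eks-provisioner"}


def is_aws_auth_write(event: dict) -> bool:
    """A mutating verb against configmaps/aws-auth in kube-system; needs only Metadata-level data."""
    ref = event.get("objectRef") or {}
    return (
        event.get("verb") in WATCHED_VERBS
        and ref.get("resource") == "configmaps"
        and ref.get("namespace") == "kube-system"
        and ref.get("name") == "aws-auth"
    )


def grants_cluster_admin(event: dict) -> bool:
    """True when the recorded request body maps something into system:masters.

    The body is only present if the audit policy logs the request at Request or
    RequestResponse level; with Metadata-only logging this returns False and the
    alert stays at medium severity.
    """
    body = event.get("requestObject")
    return body is not None and "system:masters" in json.dumps(body)


def evaluate(lines: list) -> list:
    """Run the rule over JSON audit lines and return the alerts it raises."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        if not is_aws_auth_write(event):
            continue
        user = (event.get("user") or {}).get("username", "<unknown>")
        severity = "high" if grants_cluster_admin(event) else "medium"
        # Routine provisioning edits are expected; a system:masters grant never is.
        if user in EXPECTED_EDITORS and severity != "high":
            continue
        alerts.append({
            "auditID": event.get("auditID"), "user": user, "verb": event["verb"],
            "status": (event.get("responseStatus") or {}).get("code"), "severity": severity,
        })
    return alerts


# Constructed audit events (account ID is the AWS documentation placeholder), not real data.
_SAMPLE_EVENTS = [
    {"auditID": "a1", "verb": "patch", "user": {"username": "jdoe"},
     "objectRef": {"resource": "configmaps", "namespace": "kube-system", "name": "aws-auth"},
     "requestObject": {"data": {"mapRoles": "- rolearn: arn:aws:iam::123456789012:role/Backdoor\n"
                                            "  username: backdoor\n  groups:\n  - system:masters\n"}},
     "responseStatus": {"code": 200}},
    {"auditID": "a2", "verb": "update", "user": {"username": "eks-provisioner"},
     "objectRef": {"resource": "configmaps", "namespace": "kube-system", "name": "aws-auth"},
     "requestObject": {"data": {"mapRoles": "- rolearn: arn:aws:iam::123456789012:role/NodeInstanceRole\n"
                                            "  username: system:node:{{EC2PrivateDNSName}}\n"
                                            "  groups:\n  - system:bootstrappers\n  - system:nodes\n"}},
     "responseStatus": {"code": 200}},
    {"auditID": "a3", "verb": "get", "user": {"username": "jdoe"},
     "objectRef": {"resource": "configmaps", "namespace": "kube-system", "name": "aws-auth"},
     "responseStatus": {"code": 200}},
    {"auditID": "a4", "verb": "patch", "user": {"username": "jdoe"},
     "objectRef": {"resource": "configmaps", "namespace": "kube-system", "name": "coredns"},
     "responseStatus": {"code": 200}},
    {"auditID": "a5", "verb": "patch", "user": {"username": "jdoe"},   # denied attempt, still worth an alert
     "objectRef": {"resource": "configmaps", "namespace": "kube-system", "name": "aws-auth"},
     "responseStatus": {"code": 403}},
]
SAMPLE_AUDIT_LOG = [json.dumps(event) for event in _SAMPLE_EVENTS]


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_AUDIT_LOG):
        print(alert)
```

The allowlist is keyed on the Kubernetes username the authenticator assigns, which for IAM principals is whatever the existing aws-auth mapping says it is; a 403 on aws-auth is kept as an alert because a denied write is still someone probing the persistence path.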
ESXi Admin Permission Assigned To Account Via ESXCLI
Detects execution of "esxcli system permission set" with the "Admin" role, which assigns administrator permissions to an account on the ESXi host.
EQL
any where Image:"*/esxcli" and CommandLine:"*system*" and (CommandLine:"* permission *" and CommandLine:"* set*" and CommandLine:"*Admin*")
ES|QL
from * metadata _id, _index, _version | where ends_with(Image, "/esxcli") and CommandLine like "*system*" and CommandLine like "* permission *" and CommandLine like "* set*" and CommandLine like "*Admin*"
Lucene
Image:*\/esxcli AND CommandLine:*system* AND (CommandLine:*\ permission\ * AND CommandLine:*\ set* AND CommandLine:*Admin*)
ETW Logging Disabled In .NET Processes - Registry
Detects registry value changes (Security Event ID 4657) that switch off ETW logging for .NET processes: the machine-wide ETWEnabled value under SOFTWARE\Microsoft\.NETFramework set to 0, or the COMPlus_ETWEnabled / COMPlus_ETWFlags environment variables set to 0. Adversaries do this to stop the .NET runtime provider from recording loaded assemblies.
EQL
any where (EventID:4657 and ObjectName:"*\\SOFTWARE\\Microsoft\\.NETFramework" and ObjectValueName:"ETWEnabled" and NewValue:0) or (EventID:4657 and ObjectName:"*\\Environment*" and (ObjectValueName like~ ("COMPlus_ETWEnabled", "COMPlus_ETWFlags")) and NewValue:0)
ES|QL
from * metadata _id, _index, _version | where EventID==4657 and ends_with(ObjectName, "\\SOFTWARE\\Microsoft\\.NETFramework") and ObjectValueName=="ETWEnabled" and NewValue==0 or EventID==4657 and ObjectName like "*\\Environment*" and (ObjectValueName in ("COMPlus_ETWEnabled", "COMPlus_ETWFlags")) and NewValue==0
Lucene
(EventID:4657 AND ObjectName:*\\SOFTWARE\\Microsoft\\.NETFramework AND ObjectValueName:ETWEnabled AND NewValue:0) OR (EventID:4657 AND ObjectName:*\\Environment* AND (ObjectValueName:(COMPlus_ETWEnabled OR COMPlus_ETWFlags)) AND NewValue:0)
ETW Logging Disabled In .NET Processes - Sysmon Registry
Detects the same tampering from Sysmon registry events: ETWEnabled under SOFTWARE\Microsoft\.NETFramework set to DWORD 0, or a COMPlus_ETWEnabled / COMPlus_ETWFlags value set to 0. Adversaries do this to stop the .NET runtime provider from recording loaded assemblies. Note that the ES|QL form accepts both the literal 0 and Sysmon's "DWORD (0x00000000)" rendering.
EQL
any where (TargetObject:"*SOFTWARE\\Microsoft\\.NETFramework\\ETWEnabled" and Details:"DWORD (0x00000000)") or ((TargetObject like~ ("*\\COMPlus_ETWEnabled", "*\\COMPlus_ETWFlags")) and (Details like~ (0, "DWORD (0x00000000)")))
ES|QL
from * metadata _id, _index, _version | where ends_with(TargetObject, "SOFTWARE\\Microsoft\\.NETFramework\\ETWEnabled") and Details=="DWORD (0x00000000)" or (ends_with(TargetObject, "\\COMPlus_ETWEnabled") or ends_with(TargetObject, "\\COMPlus_ETWFlags")) and (Details in (0, "DWORD (0x00000000)"))
Lucene
(TargetObject:*SOFTWARE\\Microsoft\\.NETFramework\\ETWEnabled AND Details:DWORD\ \(0x00000000\)) OR ((TargetObject:(*\\COMPlus_ETWEnabled OR *\\COMPlus_ETWFlags)) AND (Details:(0 OR DWORD\ \(0x00000000\))))
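The two Sysmon registry rules (ETW Logging Disabled In .NET Processes - Sysmon Registry, and Driver Added To Disallowed Images In HVCI - Registry) as Python over constructed Sysmon Event ID 13 records; this is an added example, not code from the catalogue or from the Sigma project. It parses Sysmon's "DWORD (0x...)" rendering into an integer so the zero check does not hinge on an exact string, which is the reason the ES|QL conversion above lists both 0 and "DWORD (0x00000000)". Registry paths, SIDs and file names in the samples are constructed.

```python
"""Added example (not the catalogue's or the Sigma project's code): two Sysmon registry
rules run over constructed Sysmon Event ID 13 (RegistryEvent, Value Set) records."""
import re

# Sysmon renders REG_DWORD data as "DWORD (0x00000000)"; other types are logged as raw strings.
DWORD_RE = re.compile(r"^DWORD \((0x[0-9A-Fa-f]{8})\)$")
ETW_ENV_VARS = ("complus_etwenabled", "complus_etwflags")


def dword_value(details):
    """Integer value of a Sysmon DWORD rendering, or None when Details is not a DWORD."""
    match = DWORD_RE.match(details or "")
    return int(match.group(1), 16) if match else None


def dotnet_etw_disabled(event: dict) -> bool:
    """Rule 'ETW Logging Disabled In .NET Processes - Sysmon Registry'.

    Fires on the machine-wide ETWEnabled value set to 0 and on a COMPlus_ETWEnabled /
    COMPlus_ETWFlags value set to 0.  Environment variables are usually REG_SZ, so the
    string "0" is accepted alongside a zero DWORD, as in the ES|QL conversion.
    """
    if event.get("EventID") != 13:
        return False
    target = event.get("TargetObject", "").lower()
    details = (event.get("Details") or "").strip()
    if target.endswith("software\\microsoft\\.netframework\\etwenabled"):
        return dword_value(details) == 0
    if target.rsplit("\\", 1)[-1] in ETW_ENV_VARS:
        return dword_value(details) == 0 or details == "0"
    return False


def hvci_disallowed_image(event: dict) -> bool:
    """Rule 'Driver Added To Disallowed Images In HVCI - Registry'.

    Any key or value event under Control\\CI that touches HVCIDisallowedImages.
    """
    if event.get("EventID") not in (12, 13, 14):
        return False
    target = event.get("TargetObject", "").lower()
    return "\\control\\ci\\" in target and "hvcidisallowedimages" in target


RULES = {
    "dotnet_etw_disabled": dotnet_etw_disabled,
    "hvci_disallowed_image": hvci_disallowed_image,
}

# Constructed records, not real telemetry.
SAMPLE_REGISTRY_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\.NETFramework\\ETWEnabled", "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",                      # re-enabling: must not fire
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\.NETFramework\\ETWEnabled", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Environment\\COMPlus_ETWEnabled",
     "Details": "0"},                                                                # REG_SZ, logged as raw string
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\CI\\HVCIDisallowedImages", "Details": "evil.sys"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",                  # under Control\CI but unrelated
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\CI\\Config\\VulnerableDriverBlocklistEnable",
     "Details": "DWORD (0x00000001)"},
]


def run(events: list) -> list:
    """Return (event index, rule name) for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for index, rule_name in run(SAMPLE_REGISTRY_EVENTS):
        print(f"[{rule_name}] {SAMPLE_REGISTRY_EVENTS[index]['TargetObject']}")
```

The last sample shows why the HVCI rule needs both conditions: Control\CI holds several unrelated policy values, and only the HVCIDisallowedImages write is of interest.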
ETW Logging Tamper In .NET Processes Via CommandLine
Detects command lines that set the COMPlus_ETWEnabled or COMPlus_ETWFlags environment variables, which an adversary can use to stop the .NET runtime from reporting loaded assemblies to ETW.
EQL
any where CommandLine like~ ("*COMPlus_ETWEnabled*", "*COMPlus_ETWFlags*")
ES|QL
from * metadata _id, _index, _version | where CommandLine like "*COMPlus_ETWEnabled*" or CommandLine like "*COMPlus_ETWFlags*"
Lucene
CommandLine:(*COMPlus_ETWEnabled* OR *COMPlus_ETWFlags*)
ETW Trace Evasion Activity
Detects command lines that clear or disable an ETW trace log or provider, which can be a sign of logging evasion: wevtutil cl / clear-log against a */Trace channel, wevtutil sl / set-log with /e:false, logman update trace ... --p ... -ets (removing a provider from a running session), Remove-EtwTraceProvider, and Set-EtwTraceProvider with 0x11. The bare "cl" and "sl" tokens are matched as substrings, so expect to tune this rule against benign command lines that happen to contain them.
EQL
any where (CommandLine:"*cl*" and CommandLine:"*/Trace*") or (CommandLine:"*clear-log*" and CommandLine:"*/Trace*") or (CommandLine:"*sl*" and CommandLine:"*/e:false*") or (CommandLine:"*set-log*" and CommandLine:"*/e:false*") or (CommandLine:"*logman*" and CommandLine:"*update*" and CommandLine:"*trace*" and CommandLine:"*--p*" and CommandLine:"*-ets*") or CommandLine:"*Remove-EtwTraceProvider*" or (CommandLine:"*Set-EtwTraceProvider*" and CommandLine:"*0x11*")
ES|QL
from * metadata _id, _index, _version | where CommandLine like "*cl*" and CommandLine like "*/Trace*" or CommandLine like "*clear-log*" and CommandLine like "*/Trace*" or CommandLine like "*sl*" and CommandLine like "*/e:false*" or CommandLine like "*set-log*" and CommandLine like "*/e:false*" or CommandLine like "*logman*" and CommandLine like "*update*" and CommandLine like "*trace*" and CommandLine like "*--p*" and CommandLine like "*-ets*" or CommandLine like "*Remove-EtwTraceProvider*" or CommandLine like "*Set-EtwTraceProvider*" and CommandLine like "*0x11*"
Lucene
(CommandLine:*cl* AND CommandLine:*\/Trace*) OR (CommandLine:*clear\-log* AND CommandLine:*\/Trace*) OR (CommandLine:*sl* AND CommandLine:*\/e\:false*) OR (CommandLine:*set\-log* AND CommandLine:*\/e\:false*) OR (CommandLine:*logman* AND CommandLine:*update* AND CommandLine:*trace* AND CommandLine:*\-\-p* AND CommandLine:*\-ets*) OR CommandLine:*Remove\-EtwTraceProvider* OR (CommandLine:*Set\-EtwTraceProvider* AND CommandLine:*0x11*)
Elastic Defend Alert Followed by Telemetry Loss
Detects when an Elastic Defend endpoint alert is generated on a host and is not followed by any subsequent endpoint
telemetry (process, network, registry, library, or DNS events) within a short time window. This behavior may indicate
endpoint security evasion, agent tampering, sensor disablement, service termination, system crash, or malicious
interference with telemetry collection following detection.
Elastic
Original
ESQL
high
Elastic Defend and Email Alerts Correlation
This rule correlates any Elastic Defend alert with an email security related alert by target user name. This may indicate
the successful execution of a phishing attack.
Elastic
Original
ESQL
high
Elastic Defend and Network Security Alerts Correlation
This rule correlates any Elastic Defend alert with a set of suspicious events from network security devices such as Palo Alto
Networks (PANW) and Fortinet FortiGate, joined on host.ip and source.ip. This may indicate that the host is compromised and
is triggering alerts across multiple data sources.
Elastic
Converted
high
Email Exfiltration Via Powershell
Detects PowerShell collection of mailbox addresses through the Exchange cmdlets (Add-PSSnapin, then Get-Recipient expanded to EmailAddresses / SmtpAddress with -hidetableheaders), a step seen in email exfiltration.
EQL
any where (Image like~ ("*\\powershell.exe", "*\\pwsh.exe")) and (CommandLine:"*Add-PSSnapin*" and CommandLine:"*Get-Recipient*" and CommandLine:"*-ExpandProperty*" and CommandLine:"*EmailAddresses*" and CommandLine:"*SmtpAddress*" and CommandLine:"*-hidetableheaders*")
ES|QL
from * metadata _id, _index, _version | where (ends_with(Image, "\\powershell.exe") or ends_with(Image, "\\pwsh.exe")) and CommandLine like "*Add-PSSnapin*" and CommandLine like "*Get-Recipient*" and CommandLine like "*-ExpandProperty*" and CommandLine like "*EmailAddresses*" and CommandLine like "*SmtpAddress*" and CommandLine like "*-hidetableheaders*"
Lucene
(Image:(*\\powershell.exe OR *\\pwsh.exe)) AND (CommandLine:*Add\-PSSnapin* AND CommandLine:*Get\-Recipient* AND CommandLine:*\-ExpandProperty* AND CommandLine:*EmailAddresses* AND CommandLine:*SmtpAddress* AND CommandLine:*\-hidetableheaders*)
Emotet Loader Execution Via .LNK File
Detects the Emotet Epoch4 loader as reported by @malware_traffic in 2022: a ".lnk" file delivered by a phishing campaign that launches cmd.exe or PowerShell to run findstr over an embedded .vbs payload.
EQL
any where (ParentImage like~ ("*\\cmd.exe", "*\\explorer.exe", "*\\powershell.exe")) and (Image like~ ("*\\cmd.exe", "*\\powershell.exe")) and (CommandLine:"*findstr*" and CommandLine:"*.vbs*" and CommandLine:"*.lnk*")